From 2961493b849d2a91f1a2fda6e0385541f505da86 Mon Sep 17 00:00:00 2001 From: Otto Date: Fri, 5 Feb 2021 13:20:30 +0100 Subject: [PATCH] Fix compilation on CentOS-7, which lacks gnutls_session_set_verify_cert(). Make explicit gnutls only validates the certificate if a server hostname is given. --- docs/manpages/sdig.1.rst | 4 +++- m4/pdns_with_gnutls.m4 | 2 +- pdns/tcpiohandler.cc | 6 +++++- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/docs/manpages/sdig.1.rst b/docs/manpages/sdig.1.rst index eeda8dc29e..2787d4ca97 100644 --- a/docs/manpages/sdig.1.rst +++ b/docs/manpages/sdig.1.rst @@ -44,7 +44,9 @@ dot insecure when using DoT, do not validate the server certificate. subjectName *name* - when using DoT, verify the server certificate is issued for *name*. + when using DoT, verify the server certificate is issued for *name*. The `openssl` provider will accept an empty name and still + make sure the certificate is issued by a trusted CA, `gnutls` will only do the validation if a name is given. + Default is the empty name. caStore *file* when using Dot, read the trusted CA certificates from *file*. Default is to use the system provided CA store. tlsProvider *name* diff --git a/m4/pdns_with_gnutls.m4 b/m4/pdns_with_gnutls.m4 index 3bfae0245c..33ebf4409e 100644 --- a/m4/pdns_with_gnutls.m4 +++ b/m4/pdns_with_gnutls.m4 @@ -18,7 +18,7 @@ AC_DEFUN([PDNS_WITH_GNUTLS], [ save_LIBS=$LIBS CFLAGS="$GNUTLS_CFLAGS $CFLAGS" LIBS="$GNUTLS_LIBS $LIBS" - AC_CHECK_FUNCS([gnutls_memset]) + AC_CHECK_FUNCS([gnutls_memset, gnutls_session_set_verify_cert]) CFLAGS=$save_CFLAGS LIBS=$save_LIBS diff --git a/pdns/tcpiohandler.cc b/pdns/tcpiohandler.cc index b510dd03a9..6c57485d8d 100644 --- a/pdns/tcpiohandler.cc +++ b/pdns/tcpiohandler.cc 
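Review bot: `AC_CHECK_FUNCS` takes a whitespace-separated list, so the comma in `AC_CHECK_FUNCS([gnutls_memset, gnutls_session_set_verify_cert])` turns the first token into `gnutls_memset,`, which is not a valid C identifier: that check cannot compile, `HAVE_GNUTLS_MEMSET` stops being defined, and whatever tcpiohandler.cc does when it is absent (not visible here; presumably a fallback for wiping sensitive memory) is silently used on every platform, not just CentOS 7. The line should read `AC_CHECK_FUNCS([gnutls_memset gnutls_session_set_verify_cert])`. Inspecting the generated config.h on a build against a GnuTLS that has both functions, and confirming both `HAVE_` macros are defined, would verify the fix.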
@@ -734,13 +734,17 @@ public:
     gnutls_handshake_set_timeout(d_conn.get(), timeout * 1000);
     gnutls_record_set_timeout(d_conn.get(), timeout * 1000);
 
-    if (!d_host.empty()) {
+#if HAVE_GNUTLS_SESSION_SET_VERIFY_CERT
+    if (validateCerts && !d_host.empty()) {
       gnutls_session_set_verify_cert(d_conn.get(), d_host.c_str(), GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN);
       rc = gnutls_server_name_set(d_conn.get(), GNUTLS_NAME_DNS, d_host.c_str(), d_host.size());
       if (rc != GNUTLS_E_SUCCESS) {
         throw std::runtime_error("Error setting the SNI value to '" + d_host + "' on TLS connection: " + std::string(gnutls_strerror(rc)));
       }
     }
+#else
+    /* no hostname validation for you */
+#endif
   }
 
   IOState tryConnect(bool fastOpen, const ComboAddress& remote) override
-- 
2.47.2
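Review bot: The `#else` branch drops not only certificate validation but also the `gnutls_server_name_set()` call, so on a GnuTLS without gnutls_session_set_verify_cert() the client no longer sends SNI at all, and a caller that passed `validateCerts` gets an unverified session with nothing reported. SNI does not depend on the missing function, so the SNI block belongs outside the `#if` with only the `gnutls_session_set_verify_cert()` call conditional; older GnuTLS can still verify the chain after the handshake with `gnutls_certificate_verify_peers3()`, which would be the proper fallback rather than skipping verification, or at minimum the ignored `validateCerts` should be reported through the file's existing logging. The `/* no hostname validation for you */` comment understates what is skipped; `/* this GnuTLS lacks gnutls_session_set_verify_cert(): the peer certificate is not validated on this build */` says what a maintainer needs to know. `validateCerts` and `d_host` are declared outside the hunk, and the enclosing constructor starts before it.
```cpp
    if (!d_host.empty()) {
      /* SNI does not depend on gnutls_session_set_verify_cert(): send it on every build */
      rc = gnutls_server_name_set(d_conn.get(), GNUTLS_NAME_DNS, d_host.c_str(), d_host.size());
      if (rc != GNUTLS_E_SUCCESS) {
        throw std::runtime_error("Error setting the SNI value to '" + d_host + "' on TLS connection: " + std::string(gnutls_strerror(rc)));
      }
#if HAVE_GNUTLS_SESSION_SET_VERIFY_CERT
      if (validateCerts) {
        gnutls_session_set_verify_cert(d_conn.get(), d_host.c_str(), GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN);
      }
#else
      /* this GnuTLS lacks gnutls_session_set_verify_cert(): the peer certificate is not validated here;
         verify it after the handshake (gnutls_certificate_verify_peers3()) or report that validateCerts is ignored */
#endif
    }
```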